Why installing software updates makes us WannaCry

File 20170515 7005 1kosynyPeople don’t want to be interrupted to update their software.
irin73bal via Shutterstock.com

Elissa Redmiles, University of Maryland

The global ransomware attack called “WannaCry,” which began last week and continues today, could have been avoided, or at least made much less serious, if people (and companies) kept their computer software up to date. The attack’s spread demonstrates how hundreds of thousands of computers in more than 150 countries are running outdated software that leaves them vulnerable. The victims include Britain’s National Health Service, logistics giant FedEx, Spanish telecom powerhouse Telefonica and even the Russian Interior Ministry. The Conversation

The security flaw that allowed the attack to occur was fixed by Microsoft in March. But only people who keep their computers updated were protected. Details of the flaw were revealed to the public in April by the Shadow Brokers, a group of hackers who said they had stolen the information from the U.S. National Security Agency.

Attackers got into computers through that weakness and encrypted users’ data, demanding a ransom from anyone who wanted the data made usable again. But they didn’t win the race to exploit the flaw as much as people and computer companies collectively lost it. Our human tendencies and corporate policies worked against us. Research, including my own, tells us why, and offers some suggestions for how to fix it before the inevitable next attack.

Updating is a pain

All people had to do to stay safe from WannaCry was update their software. But people often don’t, for a number of specific reasons. In 2016, researchers from the University of Edinburgh and Indiana University asked 307 people to discuss their experiences of installing software updates.

Nearly half of them said they had been frustrated updating software; just 21 percent had a positive story to tell. Researchers highlighted the response of one participant who noted that Windows updates are available frequently – always the second Tuesday of every month, and occasionally in between those regular changes. The updates can take a long time. But even short updates can interrupt people’s regular workflow, so that study participant – and doubtless many others – avoids installing updates for “as long as possible.”

Some people may also be concerned that updating software could cause problems with programs they rely on regularly. This is a particular concern for companies with large numbers of computers running specialized software.

Adrienne Porter Felt Tweet

Is it necessary?

It can also be very hard to tell whether a new update is truly necessary. The software that fixed the WannaCry vulnerability came out in a regular second-Tuesday update, which may have made it seem more routine. Research tells us that people ignore repeated security warning messages. Consequently, these monthly updates may be especially easy to ignore.

The companies putting out the updates don’t always help much, either. Of the 18 updates Microsoft released on March 14, including the WannaCry fix, half were rated “critical,” and the rest were labeled “important.” That leaves users with little information they could use to prioritize their own updates. If, for example, it was clear that skipping a particular update would leave users vulnerable to a dangerous ransomware attack, people might agree to interrupt their work to protect themselves.

Even security experts struggle to prioritize. The day the fix was released, Microsoft watcher Chris Goettel suggested prioritizing four of the 18 updates – but not the one fixing WannaCry. Security company Qualys also failed to include that specific update in its list of the most important March updates.

Security pros, and everyone else


The most common recommendation is to update everything immediately. People just don’t do that, though. A 2015 survey by Google found that more than one-third of security professionals don’t keep their systems current. Only 64 percent of security experts update their software automatically or immediately upon being notified a new version is available. Even fewer – just 38 percent – of regular users do the same.

Another research project analyzed software-update records from 8.4 million computers and found that people with some expertise in computer science tend to update more quickly than nonexperts. But it’s still slow: From the time an update is released, it takes an average of 24 days before half of the computers belonging to software engineers are updated. Regular users took nearly twice as long, with 45 days passing before half of them had completed the same update.

Making updates easier

Experts might be quicker at updating because they understand better the potential vulnerabilities updates might fix. Therefore, they might be more willing to suffer the annoyances of interrupted work and multiple restarts.

Software companies are working on making updates more seamless and less disruptive. Google’s Chrome web browser, for example, installs updates silently and automatically – downloading new information in the background and making the changes when a user quits and then reopens the program. The goal is for the user not to know an update even happened.

That’s not the right choice for all kinds of updates, though. For example, the Windows update needed to protect against the WannaCry attack requires the computer to restart. Users won’t tolerate their computers shutting down and restarting with no warning.

Getting the message out

So computer companies must try to convince us – and we must convince ourselves – that updates are important. My own research focuses on doing just this, by producing and evaluating entertaining and informative videos about computer security.

An entertainment-education video about software updating produced by researchers at the University of Maryland.

In our first experiment evaluating the video, we conducted a month-long study to compare our video with an article of advice from security firm McAfee. The video was effective for more of our participants than the McAfee article was. Our video was also equally or more effective, overall, at improving people’s updating practices. Trying new approaches to teaching security behaviors such as our edutainment video, or even security comics, may be a first step toward helping us stay safer online.

Elissa Redmiles, Ph.D. Student in Computer Science, University of Maryland

This article was originally published on The Conversation. Read the original article.

Cybersecurity of the Power Grid: A growing challenge

A cyber attack on the electricity grid happened in Ukraine – could it happen here too? Valentyn Ogirenko/Reuters
A cyber attack on the electricity grid happened in Ukraine – could it happen here too? Valentyn Ogirenko/Reuters

Manimaran Govindarasu, Iowa State University and Adam Hahn, Washington State University

Called the “largest interconnected machine,” the U.S. electricity grid is a complex digital and physical system crucial to life and commerce in this country. Today, it is made up of more than 7,000 power plants, 55,000 substations, 160,000 miles of high-voltage transmission lines and millions of miles of low-voltage distribution lines. This web of generators, substations and power lines is organized into three major interconnections, operated by 66 balancing authorities and 3,000 different utilities. That’s a lot of power, and many possible vulnerabilities.

The grid has been vulnerable physically for decades. Today, we are just beginning to understand the seriousness of an emerging threat to the grid’s cybersecurity. As the grid has become more dependent on computers and data-sharing, it has become more responsive to changes in power demand and better at integrating new sources of energy. But its computerized control could be abused by attackers who get into the systems.

Until 2015, the threat was hypothetical. But now we know cyberattacks can penetrate electricity grid control networks, shutting down power to large numbers of people. It happened in Ukraine in 2015 and again in 2016, and it could happen here in the U.S., too.

As researchers of grid security, we know the grid has long been designed to withstand random problems, such as equipment failures and trees falling on lines, as well as naturally occurring extreme events including storms and hurricanes. But as a new document from the National Institute of Standards and Technology suggests, we are just beginning to determine how best to protect it against cyberattacks.

Understanding the Ukraine attacks

On Dec. 23, 2015, a cyberattack penetrated electricity distribution control centers in Ukraine using software vulnerabilities, stolen credentials and sophisticated malware. The attackers were able to open dozens of circuit breakers and shut off power to more than 200,000 customers for several hours.

A year later, the country’s electricity transmission facilities were attacked. That attack also cut off electricity service, though to a much smaller geographic area, and for only about an hour. In both cases, it is widely reported that hackers aligned with the Russian government were responsible.

How can we prevent this sort of attack in the U.S.?

Protecting the American electricity grid from cyberattacks is challenging not just because it is made up of so many physical and computerized elements connecting nearly every building in the country. It’s difficult because the grid has to continue to operate in real time, making adjustments to ensure the right amount of electricity gets where it needs to go at every moment.

And it’s especially hard because the electricity industry is used to a slower pace of technological advance: While computer technologies like smartphones and servers are updated every two to three years, grid infrastructure typically must operate for over a decade.

Increasingly computerized: electricity transmission lines.
Powerlines via shutterstock.com

Over time, though, older traditional electricity meters have given way to digital smart meters. Similarly, power substations that are crucial for converting electricity from high-voltage transmission lines to lower voltage for household use, are increasingly controlled via internet-enabled networks and software.

Security standards can help ensure utility companies keep their protection strong. The North American Electric Reliability Corporation, which oversees the grid in the U.S. and Canada, has rules, known as Critical Infrastructure Protection (CIP) compliance, for how electric companies must protect the power grid both physically and electronically. This includes monitoring the grid for attacks, as well as requiring safeguards such as multi-factor user authentication to keep unauthorized intruders from accessing control networks.

NERC also hosts regular tabletop simulation exercises, where electricity companies can practice defending against major attacks. The U.S. National Institute of Standards and Technology has its own recommendations, though they are not mandatory for utilities. A draft version of a new set of guidelines was just released, adding both urgency and detail for utility companies.

These standards, guidelines and exercises have significantly improved the security of the larger elements of the power system, such as power plants and high-voltage transmission networks. But they have done little to protect the low-voltage distribution networks that supply power directly to our homes and workplaces. Attacks on these low-voltage parts of the overall system cover less territory than intrusions at higher levels, but they can still cause large-scale power outages, like in Ukraine in 2015.

Defending the edges of distribution system is much more complicated than protecting its center. Not only are there many more physical locations to safeguard, but there are also many more companies involved in operating them. Municipal governments and utility cooperatives, for example, are significant distributors of electricity, and yet have limited security requirements. In addition, they may not have the money or expertise to protect their systems against cyberattacks.

Joining forces

The grid depends on a number of key control systems and algorithms, each of which presents its own unique vulnerabilities. The growing scale of this problem requires techniques to manage and reduce the number of vulnerable points the grid has.

Research into grid security is moving away from investigating ways to better handle equipment failures and natural disasters, and toward creating a well-defended power grid for the future. One approach could be to add more redundancy – additional equipment that can fill in when an attack takes out a power plant or a transmission line. That is very expensive, though.

The other approach involves systematically analyzing the risks inherent in critical systems and methodically defending against each of them. Key elements of this approach involve developing techniques that can prevent attacks, detect and respond to them when they happen, and allow us to investigate what happened after an attack has ended. That will help us to improve protection for the future.

This approach will require the industry to ensure each new device it connects to the grid is protected, no matter how small or how big. We’ll also have to develop new systems that can detect anomalous grid communications and create more secure network architectures for critical grid control systems.

In addition, regulators will need to keep updating the rules governing the industry to raise minimum security standards over time. Schools and universities will need to teach people to be not only electricity experts but cybersecurity defenders. Our ability to flip a switch and turn on the lights depends on it.

The Conversation

Manimaran Govindarasu, Professor of Electrical and Computer Engineering, Iowa State University and Adam Hahn, Assistant Professor of Electrical Engineering and Computer Science, Washington State University

This article was originally published on The Conversation. Read the original article.

Political Scrutiny 101 Top Stories in your inbox. Subscribe.

Judgment Day for the U.S. Surveillance State #CyberSecurity #NSA #PatriotAct

Judgment Day for the U.S. Surveillance State
assetContent (1)
A man types on a computer keyboard in Warsaw in this February 28, 2013 illustration file picture. Kacper Pempel/Reuters

When James A. Baker, the Federal Bureau of Investigation’s newly appointed general counsel, met for dinner with Google Executive Chairman Eric Schmidt a couple of months ago, the topic of national security and government surveillance came up. “He was deeply, deeply, deeply frustrated with the U.S. government, with what it’s willing to talk about and what it’s not willing to talk about” in terms of how it spies on Americans, Baker recalls.

He told this anecdote in late April at a cybersecurity conference in New York at Fordham Law’s Center on National Security before arriving at his main point: “Government surveillance is not that bad.” Schmidt’s well-publicized response? “Encrypt everything.”

Last week saw the first response to the issue by an appeals court outside the country’s secretive Foreign Intelligence Surveillance Court: The court ruled that the U.S. government’s long-held justification for the National Security Agency’s (NSA) bulk collection of Americans’ phone records and other data is illegal under the USA Patriot Act.

Specifically, the New York federal court found that the government’s broad interpretation of a provision of the Patriot Act, Section 215, did not provide sufficient legal cover for its sprawling surveillance program, which scoops up and stores for up to five years the “metadata” of Americans’ phone calls, such as who they call, how frequently and for how long. “The statutes to which the government points have never been interpreted to authorize anything approaching the breadth of the sweeping surveillance at issue here,” the U.S. Court of Appeals for the Second Circuit’s three-judge panel said. It added: “Congress cannot reasonably be said to have ratified the program of which many members of Congress—and all members of the public—were not aware.”

In other words, when Congress first passed the Patriot Act in 2001 and reauthorized it in 2011, it had no idea what it was agreeing to.

“It is a far stretch to say that Congress was aware of the [Foreign Intelligence Surveillance Court’s] legal interpretation of Section 215 when it reauthorized the statute,” the panel stated in its decision.

As is now well known, most members of Congress were not told of the government’s interpretation of Section 215 of the Patriot Act—including the member of Congress who wrote the legislation, Wisconsin Republican Jim Sensenbrenner. The interpretation remained classified for more than a decade, until June 2013, when former NSA contractor Edward Snowden exposed how it was being used by the U.S. intelligence community to justify monitoring Americans’ bulk communications.

Last week’s appeals court ruling not only struck a major blow against America’s national security apparatus, but it now sets the stage for what is expected to be a tough battle this month in Congress, which must decide whether to raze, renew or revise some of the most contentious portions of the Patriot Act, including Section 215, before they expire on June 1.

For the uninitiated, Section 215 allows the director of the Federal Bureau of Investigation (FBI), or a designee, to apply for orders requiring companies holding business records to produce “any tangible things” that might help the government conduct foreign-intelligence gathering or international terrorism investigations. Under the government’s interpretation of Section 215, the FBI—which has partnered up with the NSA in amassing and organizing the data—should be allowed to access any records deemed “relevant to an authorized investigation.”

“Somehow, they convinced the U.S. Foreign Intelligence Surveillance Court, which is supposed to prevent this from happening, that you cannot do this kind of data-mining without all the records, so all the records are relevant,” says Lee Tien, a senior lawyer at the Electronic Frontier Foundation, a nonprofit privacy-rights group based in San Francisco. “It’s hard to believe. How can you use a statute that has a ‘relevant’ standard to do a blanket collection?”

The appeals court, which overturned a lower district court ruling, agreed. “We hold that the text of 215 cannot bear the weight the government asks us to assign it, and that it does not authorize the telephone metadata program,” the judges said. “We do so comfortably in the full understanding that if Congress chooses to authorize such a far-reaching and unprecedented program, it has every opportunity to do so, and to do so unambiguously.”

Sensenbrenner has publicly stated that the interpretation of his language in Section 215 was stretched well beyond the intended meaning. He and Senator Patrick Leahy, a Democrat of Vermont, have introduced a bill, the USA Freedom Act, to rein in what they call the “eavesdropping, dragnet collection and online monitoring” of Americans. In late April, Republican Senate Majority Leader Mitch McConnell and Senate Intelligence Committee Chairman Richard Burr countered with a bill to extend Section 215 to the year 2020 without making any changes to it—legislation that looks a good deal shakier after the recent ruling.

The National Security Council (NSC) said in response to last week’s ruling that it’s working with Congress on reform legislation. “The President has been clear that he believes we should end the Section 215 bulk telephony metadata program as it currently exists by creating an alternative mechanism to preserve the program’s essential capabilities without the government holding bulk data,” said NSC spokesman Edward Price. Reached by Newsweek, NSA spokeswoman Vanee Vines deferred to the NSC’s statement.

Calling Section 215 “badly drafted,” “unnecessary” and “unproductive” (as in, it does not seem to do very much to catch terrorists), Richard Clarke, former counterterrorism adviser to presidents Bush and Clinton, told Newsweek that reforming Section 215 is at the very top of the list of 46 changes he proposed while part of a presidential panel convened by the Obama administration to review the NSA’s surveillance methods. “The government should not be holding that data,” he said.

The panel’s final review warned that if the U.S. continues on this track, it risks becoming a “police state.”

Fourth Amendment and free-speech advocates are quick to warn of the “chilling effect” on Americans’ freedom of speech and freedom of movement in the face of such surveillance—in effect, that they would no longer feel at liberty to act freely if they know they are being systematically watched and listened to.

Another concern, says the Electronic Frontier Foundation’s Tien, is that while the Patriot Act was originally intended to target terrorists in the aftermath of the September 11 attacks, there is growing evidence that its powers are being used in domestic law enforcement to target Americans. For instance, the NSA is permitted to pass on information and tips to the FBI and other agencies.

“The privacy and civil liberty concerns of all this information-sharing on Americans by the intelligence community and law-enforcement agencies is very real,” says Tien. “And our country has not yet had an opportunity to have an honest social and political debate about it.”

While the extent of information-sharing among U.S. agencies is not fully known, he says, it is clear there have been cases in which Americans have been unjustifiably caught in dragnets.

I witnessed such a case in 2003, when I received a panicked phone call at work from someone very close to me. This person—who does not want to be named, even today, because of what subsequently happened to her—had just arrived home after an evening away to find concerned neighbors informing her that her townhouse on a quiet block in Jersey City, New Jersey, had received a visit at dawn from police who were shouting and banging on her door.

Right away, we called the Jersey City police. They had no record of anyone coming to that address. She tried to find out if anyone knew anything else, but to no avail. “I work with children,” she said. “What would the police want with me?”

A week passed. Then, she received a phone call from a federal agent accusing her of evading arrest. “They said, ‘You’re a fugitive,’ even though I hadn’t gone anywhere,” she tells Newsweek. “They wanted information. I had nothing to give them, because I didn’t know what they were talking about.”

She was taken into custody and accused of being a key operator in a vast conspiracy to smuggle drugs into the U.S. under the direction of a high-ranking Mexican drug lord.

How did this happen? It turns out federal officials had misinterpreted her end of an intercepted phone conversation in which the caller—the father of a former college friend—asked her while visiting New Jersey where he might be able to buy recreational drugs. She told him she didn’t know, and that was that. Or so she thought. Apparently, the caller was a bad guy—previously imprisoned for drug-related offenses and, unbeknownst to her, one of 240 individuals being apprehended in connection with the Mexican drug lord. Her mistake? Picking up the phone.

Federal agents told her if she didn’t cooperate, she would face time in prison, possibly decades. Regardless of a lack of any physical evidence connecting her to drugs, the agents gave her a choice: accept a federal misdemeanor and a fine of $1,000 for simply talkingabout drugs on the phone, or be implicated in the wider conspiracy. On the advice of her lawyer, she took the former. “My lawyer said I was incredibly lucky,” she says. “I got to get on with my life.”

On July 31, 2003, U.S. Attorney General John Ashcroft announced the indictment of Ismael Zambada-Garcia, the head of one of the most powerful and ruthless drug-trafficking organizations in Mexico, as part of Operation Trifecta, along with the arrests of 62 other suspects in the U.S. and one very frightened young woman in Jersey City. He credited the success of the operation to nearly a dozen agencies and the same heightened surveillance powers as are found in the Patriot Act. “Wiretaps, pen registers and delayed notification warrants, are the same tools provided by the USA Patriot Act,” Ashcroft said, “which help law enforcement to prosecute successfully the war on terrorism.”

But Operation Trifecta was not part of the war on terrorism. It was a 19-month investigation that, according to Ashcroft, focused on “a nationwide effort on the communications of domestic cells.” Reached by Newsweek, the DOJ and the Drug Enforcement Administration, which led the probe, had no comment.

Such actions illustrate some of the possible problems of building cases based on Americans’ phone records. In the case of the woman from Jersey City, who had no criminal record, the real dangers of such sweeping powers are not just the violation of privacy and civil liberties, but the risk that the government becomes so reliant on those powers that it misleads itself.

“I am just grateful it’s over,” she says. “But I feel like if they’d researched who I was a little more instead of just relying on phone records, they probably would not have put me through all that. In the end, they didn’t know anything about me; that I was a straight-A student, that I worked with kids or how I was really living my life.”


Continue reading Judgment Day for the U.S. Surveillance State #CyberSecurity #NSA #PatriotAct